[IgorPartola]

Sure, if you want to break JS the language. JS doesn't have a concept of "here have a variable with data inside of it but you cannot touch it". Ask yourself: "what does 'display' unencrypted data mean?"You are describing a different system entirely from what an HTML renderer + JavasScript engine can do.

[pcwalton]

> JS doesn't have a concept of "here have a variable with data inside of it but you cannot touch it".

Actually, it does: closures (and WeakMap in ES6 has similar properties). They're pretty foolproof for information hiding, if used properly. (But this is irrelevant to tptacek's point about the security of crypto in JS, of course.)

[IgorPartola]

I don't think this is what the grandparent is envisioning. Also closures are great until you are able to replace the code that produces them, or read straight from the DOM at the place where you mail client is displaying the decrypted data.